Tighten up security of automation project (CSPR-related) (#2009)
* enforce compute/iam policies on the automation project * tests
parent
6b4dad01d6
commit
c5416f3af1
|
@ -108,32 +108,47 @@ module "automation-project" {
|
|||
role = "roles/serviceusage.serviceUsageViewer"
|
||||
}
|
||||
}
|
||||
services = [
|
||||
"accesscontextmanager.googleapis.com",
|
||||
"bigquery.googleapis.com",
|
||||
"bigqueryreservation.googleapis.com",
|
||||
"bigquerystorage.googleapis.com",
|
||||
"billingbudgets.googleapis.com",
|
||||
"cloudbilling.googleapis.com",
|
||||
"cloudbuild.googleapis.com",
|
||||
"cloudkms.googleapis.com",
|
||||
"cloudresourcemanager.googleapis.com",
|
||||
"container.googleapis.com",
|
||||
"compute.googleapis.com",
|
||||
"container.googleapis.com",
|
||||
"essentialcontacts.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"iamcredentials.googleapis.com",
|
||||
"orgpolicy.googleapis.com",
|
||||
"pubsub.googleapis.com",
|
||||
"servicenetworking.googleapis.com",
|
||||
"serviceusage.googleapis.com",
|
||||
"sourcerepo.googleapis.com",
|
||||
"stackdriver.googleapis.com",
|
||||
"storage-component.googleapis.com",
|
||||
"storage.googleapis.com",
|
||||
"sts.googleapis.com"
|
||||
]
|
||||
org_policies = var.bootstrap_user != null ? {} : {
|
||||
"compute.skipDefaultNetworkCreation" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.automaticIamGrantsForDefaultServiceAccounts" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
}
|
||||
services = concat(
|
||||
[
|
||||
"accesscontextmanager.googleapis.com",
|
||||
"bigquery.googleapis.com",
|
||||
"bigqueryreservation.googleapis.com",
|
||||
"bigquerystorage.googleapis.com",
|
||||
"billingbudgets.googleapis.com",
|
||||
"cloudbilling.googleapis.com",
|
||||
"cloudkms.googleapis.com",
|
||||
"cloudresourcemanager.googleapis.com",
|
||||
"essentialcontacts.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"iamcredentials.googleapis.com",
|
||||
"orgpolicy.googleapis.com",
|
||||
"pubsub.googleapis.com",
|
||||
"servicenetworking.googleapis.com",
|
||||
"serviceusage.googleapis.com",
|
||||
"sourcerepo.googleapis.com",
|
||||
"stackdriver.googleapis.com",
|
||||
"storage-component.googleapis.com",
|
||||
"storage.googleapis.com",
|
||||
"sts.googleapis.com"
|
||||
],
|
||||
# enable specific service only after org policies have been applied
|
||||
var.bootstrap_user != null ? [] : [
|
||||
"cloudbuild.googleapis.com",
|
||||
"compute.googleapis.com",
|
||||
"container.googleapis.com",
|
||||
]
|
||||
)
|
||||
}
|
||||
|
||||
# output files bucket
|
||||
|
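Review bot: The comment `# enable specific service only after org policies have been applied` promises an ordering, but the conditional under it only tests `var.bootstrap_user`; the ordering itself comes from the `depends_on` added to `google_project_service` in the project module (next hunk), which a reader of this file alone cannot see. Suggest making the comment say what is at stake and why the two conditions must stay in step, e.g. `# these services create default resources on enablement (compute default network, default service accounts); enable them only on the non-bootstrap run, after the org_policies above exist`. The `var.bootstrap_user != null` test is also written twice, on the `org_policies` line and here, so a single local such as `bootstrap_phase = var.bootstrap_user != null` used in both places would keep the policy gate and the service gate from drifting apart. The `module "automation-project"` block begins before the hunk.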
|
|
@ -59,6 +59,7 @@ resource "google_project_service" "project_services" {
|
|||
service = each.value
|
||||
disable_on_destroy = var.service_config.disable_on_destroy
|
||||
disable_dependent_services = var.service_config.disable_dependent_services
|
||||
depends_on = [google_org_policy_policy.default]
|
||||
}
|
||||
|
||||
resource "google_compute_project_metadata_item" "default" {
|
||||
|
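Review bot: The added `depends_on = [google_org_policy_policy.default]` carries no comment explaining that it exists so that services which create default resources on enablement (compute's default network, the default service accounts covered by `iam.automaticIamGrantsForDefaultServiceAccounts`) are only enabled once the policies are in place; without that note the line looks like an accidental ordering constraint and is easy to drop. A line such as `# policies like compute.skipDefaultNetworkCreation must exist before services that create default resources are enabled` would make the intent explicit. It also only orders the API calls; org-policy enforcement on GCP is not guaranteed to be effective the instant the policy resource is created, so the comment should state that this ordering reduces rather than eliminates the window, and the test suite's count changes do not cover it. The `google_project_service` resource block starts before the hunk.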
|
|
@ -361,7 +361,7 @@ counts:
|
|||
google_bigquery_default_service_account: 3
|
||||
google_logging_organization_sink: 3
|
||||
google_logging_project_bucket_config: 3
|
||||
google_org_policy_policy: 13
|
||||
google_org_policy_policy: 16
|
||||
google_organization_iam_binding: 23
|
||||
google_organization_iam_custom_role: 6
|
||||
google_organization_iam_member: 35
|
||||
|
@ -380,4 +380,4 @@ counts:
|
|||
google_tags_tag_key: 1
|
||||
google_tags_tag_value: 1
|
||||
modules: 16
|
||||
resources: 177
|
||||
resources: 180
|
||||
|
|
|
@ -17,7 +17,7 @@ counts:
|
|||
google_bigquery_default_service_account: 3
|
||||
google_logging_organization_sink: 3
|
||||
google_logging_project_bucket_config: 3
|
||||
google_org_policy_policy: 13
|
||||
google_org_policy_policy: 16
|
||||
google_organization_iam_binding: 23
|
||||
google_organization_iam_custom_role: 6
|
||||
google_organization_iam_member: 22
|
||||
|
@ -37,7 +37,7 @@ counts:
|
|||
google_tags_tag_value: 1
|
||||
local_file: 7
|
||||
modules: 15
|
||||
resources: 168
|
||||
resources: 171
|
||||
|
||||
outputs:
|
||||
custom_roles:
|
||||
|
|